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(57) ABSTRACT 

In a method for authenticating persons, video information of 
certain body features associated with a user or a user group 
is recorded in a point of presence (POP). Such recorded 
video information is processed to derive biometric keys, 
which are stored in tables of a biometric server and in a 
SIM-card of the user. Each biometric key in the tables is 
assigned to a respective user. When the user inserts the 
SIM-card containing a personal biometric key into a com- 
munication terminal device, video information describing 
current body feature of the user is recorded via a video 
sensor that is not in the communication terminal device. The 
recorded current video information is then transmitted from 
the video sensor to the communication terminal device. To 
authenticate the user, the recorded current video information 
is processed to derive current biometric keys and compared 
with pre -stored biometric keys. The authenticity of the user 
is ensured if the comparison yield a positive result. 

23 Claims, 1 Drawing Sheet 
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METHOD, SYSTEM AND DEVICES FOR 
AUTHENTICATING PERSONS 

This application is the national phase of international 
application PCT/CH97/00424 filed Nov. 7, 1997 which s 
designated the U.S. 

The present invention relates to a method, a system and 
devices for determining the authenticity of a user or a group 
of users of a communication terminal device. 

Aside from conventional methods for authenticating per- 10 
sons by means of photographs and personal identification 
papers, methods for authenticating persons by means of 
biometric features are also known in the prior art. In these 
methods, measurable and recordable body features are reg- 
istered as biometric keys and, at the time of authentication, 15 
compared with the respective body features of a person to be 
authenticated. Known examples of such b*io"metricifeatures) 
i^lu"de*finf^rprints, eye plutems "facial contours, orvoice 
characteristics:™ 

k It is also known that a personal computer (PC) can be 20 
equipped with means, an external video camera among 
others, which make it possible for the PC to record in a 
learning process and to reuse at a later point in time for 
authentication purposes the face, respectively some facial 
features, of a user, the PC granting the user access to the PC 25 
only if it recognizes the facial features. 

The combination of video sensors with communication 
terminal devices is known in the context of^S^lll^phony,^ 
which is also available in a mobile version where atvideor) 
clmTeTa^is^eonnectexTto^ 30 
* ~A method is described in DE 39 43 097 Al which 
transfers biometrically measurable data, such as an eye 
pattern or a fingerprint, as search criteria over communica- 
tion networks, among others by means of a mobile 
telephone, for retrieving stored medical data. Essentially, in 35 
this method, an individual is identified by means of biomet- 
ric features in order to access his medical data. However, it 
is not the intention of this method to verify the authenticity 
of this individual nor to ensure the authenticity and the 
non-deniable origin of the data exchanged over the commu- 40 
nication network in this method. 

It is the object of this invention to propose a new and 
improved method and system for determining the authen- 
ticity of a user or of a group of users of a communication 
terminal device. 45 

According to the present invention, body features are 
stored in a secured way as gp^tfie|ke>ysionjaipersonal- 
SJMscard*?and in that this ^SIM-card is inserted into a 
communication device by a user, said deviee^determining 
curre nt^body- f eatures-f rom"ttie~user7' deteTroining "current- 50 
mometric^keys therefrom, and^comparing -these with the 
biometrickeysstoredon-the-card in order to'authenticate the 
uljeF.^ This has the advantage that a personal card can 
authenticate the user in different communication terminal 
devices without the user having to use passwords, which are 55 
often forgotten or may be entered unlawfully, and that a user 
who acquired the SIM-card improperly, for instance through 
theft or accidental finding, is not authenticated. An addi- 
tional advantage is the fact that the SIM-card can be pre- 
pared for a user group in that biometric keys are stored 60 
therein for all users belonging to the group. 

In order to prevent improper authentication, for instance 
through photographic imitation of body features, body 
movements are included in the biometric keys. 

According to the invention, auj]^Jie^i6^^f*mT\iser 65 
through the communication-terminal" device^an be' used- to 
allow or refuse a user- the~usage-of me 'commutation-- 
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termmal^evice~in correspondence with the result of the 
authentication. According to the invention, the result of the 
authentication can also be transmitted in a wireless manner, 
particularly by a mobile communication terminal device, to 
an external secured device which, for its part, can permit or 
refuse the user access to its services or buildings. 

According to the invention, the first recording of bio- 
metric keys is executed in a point of presence (POP) 
connected to a communication network. From there, they are 
transmitted in a secured manner via the communication 
network to a biometric server where they are stored in tables, 
at least one biometric key in a table being assigned to a 
corresponding user. Additions to and updating of biometric 
keys can also be executed in the POP. Moreover, with the 
present invention, it is possible to update biometric keys 
directly from the communication terminal device, provided 
that for the respective user there is already a plurality of 
biometric keys known at the biometric server. 

In the present invention, for the authentication and for the 
transmission of biometric keys, security services are pref- 
erably used, for example Trusted Third Party (TIP) services, 
in order to ensure the confidentiality, authenticity, integrity 
and non-deniable origin of the data exchanged via a com- 
munication network as well as the authenticity of the sender 
of these data thereby exchanged. 

In the following one embodiment of the present inven- 
tion is described by way of example. The embodiment 
example is illustrated by means of the following appended 
FIGURE: 

MgrJIBshows a block diagram comprising a communi- 
cation network and, connected to it, a|mobileieommunica^ 
tion4errm^al"devicc~with-a-SIM-card"arid a' video Tensor; 'a*^ 
b*iblrletncl£rv^ and 
a "point of presence, as well as a secured device. 

The reference numeral 9 refers to a point of presence 
(POP), for instance connected to a point of sale of a network 
operator or of a service provider company, ^h^ppintaofc 
presence^ is provided with at least one computer which, for 
instance , Stso^serve s~ as^co mmunicatio n~terfninal"~devicei 
preferably a personal computer or a work station connected 
to a communication network 5, for instance a fixed network 
15. In addition, theT^int*of«presence^9-is»providedfwith 
peripheralsToF recofding~body~f eaturesr which peripherals 
are connected to the computer and are not ilfustrated^fore 
mstanc^a^video-camera^connec^^ 
video^cableraiid a Video* interface card. The computer is 
provided with a program which can access and control the 
peripheral devices and particularly read, temporarily store 
and process data recorded by the peripheral devices. The 
program is also provided with a user interface by means of 
which it can be used, for example by an operator who is an 
employee of the POP 9. Th^fisTr^interf ace helps the operator 
to recordthe body featured of a client, for examplehisfacial 
fea'tures 7; eye patterns, or fingerprints' 8, by providing 
•modules known to one skilled in the art, for example 
modules to adjust the video camera, to adjust the contrast, to 
appropriately display picture segments, and also to indicate 
to the operator when the biometric keys derived by the 
program are completed, after the program has checked them 
on site for authentication purposes with the assistance of the 
client. 

Particularly for recording body movements, it is neces- 
sary that the program provides the client and the operator via 
the user interface with instructions, for example to execute 
certain specific movements, such as mouth or eye 
movements, for example. At this point, it is important to 
mention that in an embodiment variant the user interface can 
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be fully automated for recording biometric keys, without the manner in the table 4. Thereafter, the SIM -cards, which are 

need for an operator, but by giving instructions directly to thus personalized, can be passed to its user or its user group, 
the cheat. In such an embodiment variant, the computer and For a secured transmission and storage of biometric keys, 

its screen and the camera may be arranged in a manner security services, for instance trusted third party (TTP) 

similar to the one known from automatic passport photo 5 services, are preferably used to ensure the confidentiality, 

machines or automatic teller machines. the authenticity, the integrity and the non-deniable origin of 

Aside from visual biometric keys, voice features can be this transmitted data. It is also thoroughly possible to 

recorded correspondingly, by means of peripheral devices, execute the encryption by means of a point-to-point method, 
such as microphones and audio interface cards, and can be Moreover, it is also possible to offer further services in 

stored as biometric keys. 10 t^^g^^tpartieularlyi'services for updating biometric keys, 

^ejrecordediand^derived'biometric keys of-a-chent can foftinstancebecause of changes i due- to agings or services- for 

be storedin-acorresponding personal user profile; they can completing or adding additional biometric^keys-or other- 

also be assigned to a user group. The program and its user security "information^ which further services can be imple- 

interface are provided with the respective components, mented by one skilled in the art according to the above 

which can be implemented easily by one skilled in the art, 15 descriptions, 
for recording related personal data and for storing this data T^|u^ej^anrinsert"his^pe7so^ 

in respective user or user group profiles. Moreover, addi- munication terminal device^l^d" turn on the device. In this 

tional security information, such as security levels, for e'xample, the«eommunieation terminal~device-l~is a~ mobile^ 

example, can also be recorded. Security levels can be used, radio telephone; whicrf isequippedwitha" videcfsensor 2~for- 

for instance, to divide secured devices 13 into different 20 recording body" features, sucrws /eye patterns 6, facial 

levels of access rights to different services, for example, the features 7, or fingerprints 8, for example; ThTvideosensor- 

access rights of a user may be limited to conduct conver- '2*e"an be directly built into the mobile radio" telephone 1 r or^ 

sations via the mobile radio telephone 1, whereas another 'it'ean be inserted into theSIM^card 3 interface of the mobile 

user may execute in addition also other functions, such as radio telephone 1 by' means of an adapter, which itself may 

selecting and executing special services via the mobile radio 25 comprise an interface for receiving a SIM-card 3. Mfcr*^ 

telephone 1. Other examples for additional security tuming^on'te'mobilerradio^telephone-ly an*authentication- 

information, which can be entered and stored, include infor- program is started; which may be located in the SIM-card 3, 

mation relating to the duration of validity, for example in for instance, and the user is requested, for example by means 

order to limit the validity of certain rights to a specific of the display (not illustrated) of the mobile radio telephone 

duration of time or point in time, location information, for 30 1* to look into the video sensor 2, to put a specific finger onto 

example in order to limit access rights to devices or services the video sensor 2 and/or to talk into the mobile' radio 

to specific geographic areas, or personal passwords. telephone 1. TrleTdatavrc^ video sensor 

In order to prevent improper assignments, it is important e>2*and, if applicable, by means of the microphone (not 

that the assignment of the biometric keys to a user profile or illustrated) of the mobile radio telephone 1, isf temporarily- 

to a user group profile is handled in a controlled manner, for 35 stored-by the authenticatiotfprogramr Frorn ttfis<3ata, current 

instance exclusively by an operator, under strict authentica- biometric keys are derived which are -temporarily stored and 

tion conditions, for example by means of multiple identifi- compared to the stored biometric keys 4. In addition to this 

cation papers with photographs and possibly with confirm- direct comparison, the authenticity and the integrity of the 

ing testimony from a present third party. stored biometric keys 4 can be confirmed by means of TTP 

For completing the recording of the biometric keys, the 40 services by the biometric server 10, for example. *If*the" 
user profiles or user group profiles with the biometric keys comparison of thecurrent biometric key to the biometric key 
and the security information are transmitted by the program ^stored in the SIM-card 3 turns out to be positive and if the 
of the computer in a secured manner via a communication stored biometric keys 4 are authenticated positively by the 
network 5 to a server for maintaining theibiometric^keysrio biometric server 10, further ^usage~of^the^ mobile" radio 
the following paragraphs referred to as bl^rneTHc^se^veplOr ^ telephone"!" may be 'permitted; for example. Otherwise^ 
where they are stored for the respective user or user group further usage of the mobile radio telephone 1 by this user 
inttablcsyll^c ttnne^ server 10: For one may be prevented and the mobile radio telephone 1 may be 
skilled in the art it is clear that there are different possibilities turned off, for example. PeTmissidn^may be-sustained untiK 
for implementing the biometric server 10 with the tables 11, themobile-radio telephone 1 is turned off- again or it may be 
For example, the tables 11 can be located in a database 50 time' limited, in-that the user has to be" authenticated again 
server which is located on a computer together with the after a predefined period r this may be executed automatically 
biometric server or which is located on another computer during usage of the mobile radio* telephone 1, for example, 
connected to the computer of the biometric server 10 via a Preferably, the SIM-card 3 communicates with the bio- 
communication network. For one skilled in the art, there are metric server by means of special short messages which are 
also different variants for storing the information in the 55 transmitted via a mobile radio network 16, for instance 
tables 11, which will not be gone into in more detail here. according to the GSM-standard, within the communication 
1»h^same T inf61m^ti6n"islikewise s network 5, to a SIM-server 12. Said SIM-server 12 is 
card~3of the userrpr^erably^GSM'cardr'or ori*possibly connected to the communication network 5 via the connec- 
severalSIM- cards 3 ofVuser^group in corresponding tables tion 17 and forwards these special short messages, according 
47in that it is transmitted by the POP 9 to a SIM-server 12, 60 to the SICAP method described in EP 0689 368 Bl, for 
and from there, according to the SICAP method described in further processing to the biometric server 10 via the con- 
EP 0 689 368 Bl, by means of special short messages via a nection 18. 

mobile radio network, for instance according to the GSM In the case where a plurality of biometric keys 11 of the 

standard, to the SIM card, and is stored there. pnWndther- user are known at the biometric server 10, itgisfpossiblestor 

variantrthe~SIM : cards 3 "are inserted in a speci al'interface 65 update/Jnometric keys 11, which have changed, for instance, 

(which is not illustrated) of the respective computer in the du"e~to aging, directiy from the mobile radio telephone 1. 

POP9 and the program stores the information in a secured This can take place on condition that the user was authen- 
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tifcated-throughaHeast a~ second biometric key which does 
not" need" to be~changed and that the quality 'of the video 
information to* be Used foMipdatihg a first biometric key 
meets predefined minimum requirements: For example, 
these requirements may be requirements on minimum light 
conditions or image contrast or requirements on the maxi- 
mum deviation of the new biometric keys from the old 
biometric keys. 

In a variant, the authentication is not primarily used to 



peripheral devices for recording body features. Moreover, 
ttie^application^pf-the authentication :does: not- need-to be 
restricted to access control for communication terminal 
devices or external secured "devices 13, but may also be 
perfectly well applied to controlling access to services, 
particularly to services available via the communication 
network 5, which may comprise the Internet. In these cases, 
the result of the authentication is transmitted to the respec- 
tive service provider, for instance an automated Internet site, 



control usage of the mobile radio telephone 1, but the result 10 which can permit or refuse services accordingly. Possibly, 

of the authentication according to the description above is the result of the authentication is transmitted to the service 

transmitted in a wireless and secured manner to an external provider together with information about the user's access 

secured device 13, which on its part permits or refuses the rights to the respective services or with personal data of the 

access to the device 13 accordingly. Together with the result user, as was described above in connection with secured 

of the authentication, personal data of the authenticated user 15 devices 13. 
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may also be transmitted to the secured device 13 so that the 
secured device 13 may permit or refuse access on the basis 
of this personal data. In another variant, additional security 
information of the user, such as security levels, location 
information, and information about the duration of the 
validity, for example, is transmitted to the secured device 13 
together with the result of the authentication. Based on this 
security information, the secured device 13 may make the 
decision about permitting or refusing access. In another 
variant, the secured device 13 transmits, on request, infor- 
mation about its identity to the mobile radio telephone 1. 
With this information and by means of additional security 
information of the user, such as security levels, location 
information, and information about the duration of the 
validity, for example, the mobile radio telephone 1 may also 30 
make decisions during the authentication process about the 
user's access to the respective secured device 13 and trans- 
mit the result to the secured device 13. For example, the 
external secured device 13 is an apparatus, for instance an 
automatic teller machine or a video terminal for information 
inquiries, an entrance to a secured building, such as a secret 
industrial manufacturing installation, a police headquarter, 
or a nuclear power plant, for instance, or the entrance to a 
restricted area, such as an army base, an airport or a factory, 
for example. The wireless transmission can be performed, 40 
for example, in a contactless manner via an inductive 
interface 14 by means of an electromagnetic coil located in 
the SIM-card 3. The mobile radio telephone 1 can also 
perform the transmission to the secured device 13 by means 
of a contactless infrared interface (not illustrated) or by 45 
means of short messages. The respective transmission takes 
place in a secured manner, for example by using TTP 
services or by means of a point to point method. 

In a further variant, the video sensor is located outside 
the mobile radio telephone 1, for example in the external 
secured device 13. In this variant, the video information is 
recorded by the external video camera and transmitted to the 
mobile radio telephone for evaluation. The wireless trans- 
mission may be performed, for example, in a contactless 
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It is thoroughly possible that this method and system may 
be offered by a service provider as a payable service to third 
parties, who may be interested, for example, in protecting 
their devices, buildings, areas, or services. 
What is claimed is: 

1. A method for determining the authenticity of a user or 
a user group of a communication terminal device, compris- 
ing: 

recording video information of body features associated 
with said user or said user group in a point of presence 
(POP); 

processing said video information to derive specific fea- 
tures as biometric keys; 

storing said biometric keys in tables of a biometric server 
and in a SIM-card of said user or said user group, at 
least one of said biometric keys being assigned in a 
table to a respective user; 

inserting said SIM-card into a communication terminal 
device by said user, said SIM-card containing at least 
one personal biometric key; 

recording current video information of at least one body 
feature associated with said user via a video sensor 
located outside said communication terminal device, 
wherein said current video information is transmitted 
from said video sensor to said communication terminal 
device for further processing; 

processing said current video information to derive at 
least one specific feature as a current biometric key; 

determining the authenticity of said user by comparing 
said current biometric key of said user to said stored 
biometric keys, wherein the authenticity is ensured if 
the comparison is positive and the authenticity is not 
ensured if the comparison is negative. 

2. The method according to claim 1, wherein said video 
sensor further registers movement which is used in said 
determining the authenticity. 

3. The method according to claim 1, wherein said SIM- 
card is capable of storing said current video information, 



manner via an inductive interface 14 by means of an 55 processing said current video information to derive current 



electromagnetic coil located in the SIM-card 3. The secured 
device 13 may also perform the transmission to the mobile 
radio telephone 1 by means of a contactless infrared inter- 
face (not illustrated) or by means of short messages. The 
respective transmission takes place in a secured manner, for 
example by using TTP services or by means of a point to 
point method. 

Here too, it must be mentioned that, aside from mobile 
radio telephones 1, other communication terminal devices, 



biometric keys, and determining the authenticity of said user 
by comparing said current biometric keys with said stored 
biometric keys. 

4. The method according to claim 1, wherein secure 
60 Trusted Third Party (TTP) services (TTP services) are used 
to transmit at least certain messages to ensure 
confidentiality, authenticity, integrity and non-deniable ori- 
gin of the data exchanged via a communication network as 
well as the authenticity of the sender of the data thereby 



such as personal computers, laptop computers, or palmtop 65 exchanged. 

computers, for example, may execute this authentication 5. The method according to claim 1, wherein said TTP 
method, if they are equipped with a SIM-card 3 and with services record additional security information in said POP 
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and store said additional security information in tables of 16. The method according to claim 1, wherein a video 

said biometric server and in said SIM-card, said additional sensor located in said communication terminal device 

security information being assigned to respective users or records said current video information, 

user groups in said tables and being used in said determining 17 . The method according to claim 1, wherein said current 

the authenticity. 5 video information is transmitted to said communication 

6. The method according to claim 5, wherein said addi- terminal device by induction via a coil in a SIM-card. 
tional security information comprises security levels. 18 ^ met h 0 d according to claim 1, wherein said current 

7. The method according to claim 5, wherein said addi- vidco m f ormation transmitted to said communication 
tional security information comprises information about the termma] devfce by means of infrared 

duration of validity. „ 10 19. The method according to claim 1, wherein said current 

8. The method according to claim 5, wherein said addi- vidco information ^ transmittcd t0 said communication 

tional security information comprises location lniormation. . . . « . , , . . 

a r-rn j j • t , ■ - . . j j- terminal device by means of short messages. 

9. The method according to claim 5, wherein said addi- ■ A . J f . ^ 

tional security information comprises passwords. . ?°- ^ method accordm S t0 c] ™* X > wl f ein said current 

10. The method according to claim 1, wherein existing 15 Vldc0 ^formation is transmitted to said communication 
information associated with respective users or user groups terminal device using said TTP services. 

can be updated in said POP via said TTP services. 21 ^ method according to claim 1, wherein commu- 

11. The method according to claim 1, wherein said nication between said SIM-card in said communication 
biometric keys stored in said tables of said biometric server terminal device and said biometric server is conducted by 
and in said SIM-card of a communication terminal device 20 means of special messages via a SIM server. 

can be updated directly from said communication terminal 22. The method according to claim 1, wherein a user is 

device via said TTP services. permitted to use said communication terminal device if the 

12. The method according to claim 1, wherein said authenticity of said user is ensured and said user is not 
biometric keys include facial features. permitted to use said communication terminal device if the 

13. The method according to claim 1, wherein said 25 authenticity of said user is not ensured. 

biometric keys include eye patterns. 23. The method according to claim 1, wherein said video 

14. The method according to claim 1, wherein said information is transmitted from said video sensor to said 
biometric keys include fingerprints. communication terminal device through wireless transmis- 

15. The method according to claim 1, wherein said sion. 
biometric keys further include, in addition to visual features, 30 

recorded voice features. ***** 
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